IPv6-over-IPv4 Architecture

ABSTRACT

Mobile clients can execute IPv6 applications in an IPv4 environment without the need for any specialized IPv6 hardware or upgrades to the network infrastructure. The architecture provides a seamless, disruption-free connectivity experience for mobile clients. Mobile clients are automatically connected to other mobile clients irrespective of their network connectively, whether wireless, wire line, IPv4, IPv6, public or private. Mobile clients communicate with other mobile clients using a secure, end-to-end IPv6 tunnel. This creates a persistent VPN connection between two clients using software.

CROSS-REFERENCE TO RELATED APPLICATION

This patent application is a continuation of U.S. patent applicationSer. No. 11/468,281, filed Aug. 29, 2006, issued as U.S. Pat. No.7,810,149 on Oct. 5, 2010, which claims the benefit of U.S. provisionalapplication 60/596,077, filed Aug. 29, 2005, which are incorporated byreference along with all other references cited in this application.

BACKGROUND OF THE INVENTION

The present invention relates generally to networking and Internetprotocol communication and services and, more specifically tofacilitating secure Mobile Internet Protocol version 6 communicationservices over an Internet Protocol version 4. The invention alsoincludes a new application development environment which simplifies thedevelopment of new services for portable computing devices (e.g., PC,PDA, and smart phones).

Data networking has been one of the most successful and widely adoptedtechnologies of the information age. Computers and devices may “talk” toeach other and transfer data through the network, which in turnfacilitates electronic commerce, the Internet, and much more.

There are currently two versions of internet protocol in use: theexisting Internet Protocol version 4 (“IPv4”) and a new InternetProtocol version 6 (“IPv6”). IPv6 is expected to gradually replace IPv4,but the two versions will coexist for a number of years during thetransition period. Thus, enabling IPv6 communication over an IPv4network during the transition period when the two versions coexist is animportant concern among users of the Internet.

One of the primary drivers in the deployment of IPv6 is that it enablesimproved device mobility over IPv4. Currently mobility in IPv4 (alsoknown as Mobile IPv4) requires the deployment of special hardware knowas “foreign agents” in every network that a user might roam into.Subsequently the high cost of adding Mobile IPv4 features to existingnetworks has been a barrier to deployment. Conversely IPv6 supportsdevice mobility without the need for special hardware as the mobilityfeatures have been incorporated into the protocol itself. Unfortunatelythe deployment of native IPv6 networks is quite limited.

Despite the success of networking, there is a need to improve networktechnology, especially secure networks so data may be securelytransmitted from one point to another point in a network. And it isdesirable that this secure network is easy for a user to set up.Therefore, there is a need to create a secure, easy-to-use end-to-endpersistent connection between portable computers and networkedappliances.

BRIEF SUMMARY OF THE INVENTION

To address the dilemma of leveraging the benefits of mobile IPv6 in anIPv4 network, a system and method of operation referred to as PIANO (forPortable Internet Architecture as a Network Overlay) is presented.Mobile clients can execute IPv6 applications in an IPv4 environmentwithout the need for any specialized IPv6 hardware or upgrades to thenetwork infrastructure. The architecture provides a seamless,disruption-free connectivity experience for mobile clients. Mobileclients are automatically connected to other mobile clients irrespectiveof their network connectively, whether wireless, wire line, IPv4, IPv6,public or private. Mobile clients communicate with other mobile clientsusing a secure, end-to-end IPv6 tunnel. This creates a persistent VPNconnection between two clients using software.

The invention provides an end-to-end virtual private network (VPN)architecture and application framework. In an implementation, a virtualprivate network service is designed to create a secure end-to-endpersistent connection between portable computers and networkedappliances. The network establishes a secure end-to-end connectionwithout the need for VPN or IPsec gateways to establish the connection,thus enabling an end-to-end secure connection that is persistent andworks over firewalls and network address translations (NATs). Thenetwork achieves secure end-to-end connectivity by using a secure IPv6tunnel over IPv4-based Internet networks and also over IPv6 networks.The system allows for mixed environments. The IPv6 tunnel enables filesto be transferred or Internet services to be activated for any Internetconnected location.

The invention provides methods for deploying and developing mobile IPv6applications in IPv4 networks. The mobile IPv6 application is able tooperate in a native IPv4 network without the existence of any IPv6routers or special network devices. Many standard mobile IPv6 featuressuch as route optimization (direct client-to-client connectivity) andnomadic roaming (moving without losing IP connectivity) usuallyavailable in IPv6 networks are available in the IPv4 network.Additionally the method also has provides new features that improvesecurity (by restricting the distribution of addressing informationthrough the creation of private user groups) and simplifies applicationdevelopment (by new APIs) for mobile IPv6 applications.

In an embodiment, the invention is a method including: providing a homeagent server, connected to an IPv4 network, managing a plurality ofgroups of IPv6 clients; providing a first IPv6 client and second IPv6client connected to the home agent via the IPv4 network, where the firstand second IPv6 clients are in a first group; from the first IPv6client, sending to the home agent an IPv4 address and IPv6 addressassociated with the first IPv6 client; from the second IPv6 client,sending to the home agent an IPv4 address and IPv6 address associatedwith the second IPv6 client; when the first and second IPv6 clients areconnected to the home agent server, implementing a first IPv6 tunnel inthe IPv4 network between the first IPv6 client and the second IPv6client; and from the first IPv6 client, transferring data in anencrypted form using the first IPv6 tunnel directly from the first IPv6client to the second IPv6 client, where the data does not pass throughthe home agent server.

In an implementation, the first client implements the first tunnelwithout using the home agent server. The first client is typicallysoftware or an application running on a computer, PDA, phone, or otherelectronic device. During a binding update procedure, the home agentdisseminates to all the clients within a group the IPv6, public IPv4,and private IPv4 info for every connected client in the group. Usingthis information, a client can create the IPv6 tunnel to connect toother clients in the group. From this information, the client candetermine whether firewall such as NAT firewalls are present take thenecessary actions to make a connection. A direct end-to-end connectionbetween a sending and receiving client is desired, but sometimes notpossible, perhaps because of a firewall. Then, a connection between thesending and receiving clients may be reflected using the home agentserver. Since the client attempts to implements the tunnel and does notinvolve the home agent server (except in the reflection situation), thehome agent is subject to less processing burden, freeing up the homeagent to handle other tasks. In fact, two clients may be connectedtogether and the home agent would not necessarily know of theconnection.

The home agent server also has a cache so that then the second IPv6client becomes disconnected from first IPv6 client, the first IPv6client will recognize this and implement a second IPv6 tunnel in theIPv4 network between the first IPv6 client and the home agent server.Even though the second IPv6 client is no longer on-line, the first IPv6client will continuing transferring the data in the encrypted form usingthe second IPv6 tunnel to a data cache at the home agent server. Thedata will be held in the cache for the second IPv6 client. So when thesecond IPv6 client is connected again and performs a binding update withthe home agent, the data in the cache from the first IPv6 client is sendto the second IPv6 client using a third IPv6 tunnel. The data remainsencrypted the entire transmission path and while it resides in thecache. The home agent does not decrypt the data. This enhances securityand reduces processing burden on the server. By providing a cache, datamay be transmitted or streamed regardless of whether clients areon-line, thus enhancing the reliability of the network and datatransmission.

The home agent has additional security by dividing the clients intodifferent groups. These groups may be called closed user groups. Clientswithin a group may be aware and connect to each other. However, clientsof different groups do not know about each other. Furthermore,operations such as a binding update and commands such as PUBLISH(described below) will only disseminate information only to clientswithin the same group. A client may be a member of one or more groups.

Upon connecting to the network, a client performs a binding update withthe home agent. During the binding update, the client sends its IPv6address and private IPv4 address (IPv4 address the client knows about)to the home agent. The home agent know the public IPv4 address of theclient. The home agent disseminates the IPv6, public IPv4, and privateIPv4 addresses to all the clients within the group. In someimplementations of a binding update, the client may also send a cookieto the home agent for authentication purposes.

Based on information received during binding updates, each client caninitiate connections with other clients in the same group. Theinformation from the binding update may be used by a client to determinewhether it is behind a NAT firewall or a receiving client is behind aNAT firewall. If both sending and receiving clients are behind the sameNAT firewall (i.e., have the same public IPv4 address), then the clientscan connect using the private IP addresses. If one of the clients thatis to be connected is behind a NAT firewall and the other is public, the“public” client will make a connection to the “private” client. And ifboth clients are behind different NAT firewalls, then the clients willreflect off the home server.

In an end-to-end connection, data is transmitted directly using a tunnelfrom a sending client to a receiving client directly. The data does notpass through the home agent. Reflecting off the home agent server refersto passing data from the sending client to the receiving client throughthe home agent server. The data will be encrypted as if the connectionwhere an end-to-end connection. Data will remain encrypted as it ispassed through the home agent. The home agent does not decrypt andreencrypt the data, thus maintaining lower processing overhead.

An aspect of the invention is that the applications running on eachclient may be IPv6 applications and the client facilitates execution ofthese IPv6 applications in IPv4 network. To the applications, they areunaware they are working in an IPv4 environment. As far as theapplication is concerned it is operating in a pure IPv6 environment. Thearchitecture of the invention including the home agent, client software,binding update, and other features facilitate operating the ability torun IPv6 applications in IPv4. Furthermore, the architecture also allowshybrid environments. For example, some clients to the home agent may bein a pure IPv6 environment and other clients are in an IPv4 environment.The home agent of the invention permits connectivity between clients indifferent environments.

In an embodiment, the invention is a method including providing a homeagent server, connected to a number of clients organized in groups, allconnected in a network; providing a set of commands including a PUSHcommand to transfer data from one of the clients in one group to anotherclient in the same group, a PUBLISH command to show clients in one groupfiles available to other clients in the same group, and a PULL commandto request sending of at least one file made available through thePUBLISH command from the client having the file; issuing a PUSH commandfrom a first client of in a first group to transfer data to a secondclient in the first group; when the second client is connected thenetwork, executing the PUSH command by transferring the data directlyfrom the first client to the second client; when the second client isnot connected the network, executing the PUSH command by transferringthe data to a data cache on the home agent server; and when the secondclient connects to the network, transferring the data from the datacache to the second client.

An implementation of the invention may have one or more of the commands,PUSH, PULL, and PUBLISH, in any combination. PUSH is a command that maybe used by an application to make a connection to another client.PUBLISH is a command that may be used by an application to publish ormake know to other clients with a group the files that are available onthe publishing client. For example, the publishing client may share oneor more files or even an entire directory. PULL is a command to requesta file from another client. For example, one client may want a file thathas been published by another client. Then this client issues a PULLcommand to obtain the file. In an implementation, the PULL command mayinvoke a PUSH command from the publishing client. The commands may becached when a client is off-line.

In an aspect, the invention is designed to create a secure end-to-endpersistent connection between mobile, fixed computers and othernetworked devices leveraging mobile IPv6 client-server software overexisting IPv4 networks.

In an aspect, the capabilities of the architecture supports a persistentend-to-end relationship between any two authorized clients, and thussupports session roaming from Wi-Fi to Wi-Fi and Wi-Fi to WiBro orWiMax, without the need for switching equipment.

In an aspect, the invention provides a secure virtual private networkenvironment for a range of consumer, SoHo, enterprise, and governmentapplications. PIANO establishes an end-to-end connection without theneed for IPsec gateway equipment in the middle, enabling end-to-endservices that are secure, persistent, and easy to use.

In an aspect, the invention is also an application framework. Withsimple application programming interfaces (APIs) or utilizing nativeIPv6, software developers can take advantage of the persistentconnectivity between portable computing devices to port existingservices or create new services.

In an aspect, an agent of the invention allows standard IPv6 and mobileIPv6 applications to run in an IPv6 environment. Features of mobile IPv6such as route optimization are supported. Mobile clients (also known asmobile nodes) of the invention will connect to other PIANO clients.Voice over Internet Protocol or VoIP services will connect to the publicswitched telephone networks (PSTNs) both wired and wireless through astandard VoIP gateway.

Other objects, features, and advantages of the present invention willbecome apparent upon consideration of the following detailed descriptionand the accompanying drawings, in which like reference designationsrepresent like features throughout the figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a high level overview of architecture of the invention.

FIG. 2 shows the new idea of having a service portal cofunctioning witha mobility server.

FIG. 3 shows a detailed overview of a mobility control functionality.

FIG. 4A shows a block diagram of system with a home agent server and twoclients.

FIG. 4B shows operation of a network according to the invention.

FIG. 5 shows operation of IPv6 route optimization over IPv4 networks.

FIG. 6 shows a dynamic data caching operation.

FIG. 7 shows an application framework.

FIG. 8 shows a graphical user interface for network contentapplications.

FIG. 9 shows an example of digital content distribution.

FIG. 10 shows an example of sensor networking.

FIG. 11 shows transparent IPv6 over IPv4 operation.

FIG. 12 shows a first installation screen.

FIG. 13 shows a second installation screen.

FIG. 14 shows a third installation screen.

FIG. 15 shows a first user screen.

FIG. 16 shows a view folders screen.

FIG. 17 shows a create group screen.

FIG. 18 shows a create content folder screen for other users.

FIG. 19 shows a share documents screen.

FIG. 20 shows a transmit detail screen.

FIG. 21 shows a check status screen.

FIG. 22 shows an options screen.

FIG. 23 shows transaction log screen.

FIG. 24 shows an interface screen for another user.

FIG. 25 shows examining another user's folder.

FIG. 26 shows downloading a document.

FIG. 27 shows a file status screen.

FIG. 28 shows a status update on a main screen.

DETAILED DESCRIPTION OF THE INVENTION

The invention provides an end-to-end virtual private network (VPN)architecture and application framework. A specific implementation ofsuch a network is the “Portable Internet Architecture as a NetworkOverlay” or “PIANO” from PIANO Networks. Although this patent describesthe invention with respect to a specific implementation, PIANO, theinvention may be embodied in other implementations and applications.Other implementations may include one or more of the aspects of theinvention, and may not include each and every feature described for thePIANO implementation.

PIANO is a virtual private network service designed to create a secureend-to-end persistent connection between computers, and betweencomputers and networked appliances. PIANO establishes a secureend-to-end connection without the need for VPN or IPsec gateways toestablish the connection—thus enabling end-to-end secure connectionsthat are persistent and work over firewalls and network addresstranslation gateways (NATs).

PIANO achieves secure end-to-end connectivity via the novel use ofsecure IPv6 tunnel over existing IPv4-based Internet networks. The IPv6tunnel enables files to be transferred (e.g., picture, documents) orInternet services to be activated (e.g., voice over IP) for any Internetconnected location. PIANO also facilitates the integration of IPv6devices or IPv6 networks, or both, with existing IPv4 based networks andclients.

In addition to being an end-to-end VPN service, PIANO is also anapplication framework. Via new simple application programming interface(API) commands, software developers can take advantage of PIANO's secureconnectivity to create new services such as GUI-based contentdistribution. GUI stands for graphical user interface.

PIANO provides a unique secure end-to-end VPN framework for a range ofconsumer, Small Office/Home Office (SoHo), enterprise, and governmentapplications:

Consumer and SoHo: Content management, file sharing, and data back-upservices between mobile laptops and desktops over Cable, DSL, orsatellite Internet connections.

E-commerce: Persistent secure connections for consumer access toe-commerce sites to enable trusted access (on-line banking, brokerageaccounts, and others).

Enterprise: Secure end-to-end VPNs to permit secure extranets and securefree end-to-end services such as file sharing, content distribution,VoIP, and voice conferencing, data back-up for laptops via securepersistent logical connection.

Government: IPv6 transition service to enable deployment of applicationsacross new IPv6 and legacy IPv4 networks.

Architectural Overview

FIG. 1 shows an overview of an architecture providing support for IPv6and mobile IPv6 applications over an IPv4 network. A specificimplementation of this architecture is the PIANO architecture and isdiscussed merely to provide an example of the invention. Otherimplementations of the invention may incorporate some of the features ofdiscussed for PIANO and may include additional or different features.Using the PIANO architecture, the IPv6 applications execute in an IPv4environment, and they may be completely unaware they are operating inthe IPv4 environment.

The PIANO architecture is formed by the incorporation of key components.The PIANO glue logic allows the enablement of all these components intoa novel approach for secure, mobile end-to-end, peer-to-peercommunications.

FIG. 2 shows a service portal functioning with a home agent server(e.g., PIANO mobility server). These can reside as separate entities orcoexist physically together. The service portal will allow for serviceinitiation and registration. It will provide the end devices IPv6address space and allow for account creation, modification, anddeletion. Together with the PIANO mobility management server entity,group creation is tightly coupled on top of the mobility plane. Aspecific implementation of the invention provides a tight coupling ofthe mobility plane with group creation and management by using a serviceportal and PIANO server. However in other implementation, there may be adifferent configuration of the logical components of the architecture.

FIG. 3A shows a detailed overview of the PIANO mobility controlfunctionality. Here on-demand end-to-end mobility tunnels are created,updated, and deleted based on the movement of the PIANO clients. Tunnelcreation from one PIANO client to another must be authorized by firstdetermining if this client node is able to setup an end-to-end tunnelwith this particular peer. One this decision is made, a tunnel may besetup or in the case of it is not valid to carry out this operation, arejection message for this service is made. The tunnel may be optionallysecured at various levels.

FIG. 4A shows a more detailed block diagram of system with a home agentserver (i.e., PIANO server) and two mobile clients, which are sometimesreferred to mobile nodes (MN).

The PIANO architecture includes two components:

(1) A PIANO client (which may be referred to as a mobile client) residesin a networked computer such as a laptop, desktop computer, server,personal digital assistant (PDA), or smart phone. The client may also bea networked appliance like a storage server, a Wi-Fi enabled digitalcamera, or cable or DSL CPE modem. The PIANO client is identified via aunique IPv6 address that is used to connect to other PIANO clients viaIPv6-over-IPv4 tunnels. In addition to creating secure end-to-endtunnels with other PIANO clients, the client supports an applicationprogramming interface (API) and native IPv6 interface for IPv6applications.

In a specific implementation, the mobile client is implemented usingsoftware, but in other implementations, the mobile client may beimplemented in firmware or hardware. As shown in FIG. 4A, when operatingin an IPv4 environment, the IPv6 applications (i.e., PIANO applications)interface from the mobile client application (i.e., PIANO MN), whileIPv6 application can interact directing to the network. To make anend-to-end IPv6 connection in the IPv4 environment, the IPv6 applicationuse agent and client software of the two clients. Also, the home agentserver sends and receives information to facilitate IPv6 connectionsunder IPv4 to the mobile clients.

The PIANO client functions include: (i) Internet connection monitor toinitiate and maintain the PIANO network IPv6 connection and itsassociated IPv4 “care of address”; (ii) mobile IPv6 based client tomanage IPv6 mobility and end-to-end (or peer-to-peer) connections; (iii)graphical user interface to activate and manage user services; (iv)encryption and decryption of communications with other PIANO clients andcontrol messages with the PIANO server; and (v) PIANO user services suchas FTP for file transfers.

(2) A PIANO server (which may be referred to as a home agent server) isresponsible for maintaining the database of PIANO client IPv4 addresses.Whenever a PIANO client gets an active IP link it automatically connectsto the PIANO server and sends a binding update of its current IPv4address. The PIANO server then forwards the binding update informationto other mobile clients that belong to the group (e.g., family memberssharing photos and digital videos).

A system of the invention may include a server or device including oneor more of the functions discussed, in any combination. The functionsmay be implemented using different or separate servers. One or more ofthe functions may be implemented using software, hardware, or infirmware. The PIANO server may sometimes be referred to as a home agent(HA) server. The functionality of the PIANO server or home agent serverincludes:

(i) A web server front end to allow new users to register for PIANOservices. The web server provides an easy-to-use user interface. Thehome agent assigns a unit IPv6 address for each mobile client. See belowfor a further discussion.

(ii) A client authentication directory to maintain the list ofauthorized mobile clients, and their attributes.

(iii) A home agent component for mobile clients (PIANO clients) providesaddress resolution for PIANO clients. The home agent is the component ofthe PIANO server that maintains the directory of authorized PIANOclients or mobile clients, validates their IPv6 address, and detects andrecords the mobile clients' current IPv4 address. Whenever a mobileclient recognizes an active IP link, it automatically connects to thePIANO server's home agent and sends a binding update (BU) with itscurrent IPv4 address (public and private address components) andmaintains a record of other attributes for each client device.

The home agent records and maintains a real-time record of the mobileclient's IPv4 care of address in addition to the dedicated IPv6 addressand the user assigned user ID. A care of address is allocated to amobile client when the mobile client moves its attachment point to adifferent subnet.

This allows other mobile clients to search and locate the mobile clientsto set up an IPv6 tunnel for services.

A binding update occurs when a mobile client connects to the network.During a binding update operation with the home agent, a mobile clientsends the home agent its IPv6 address and IPv4 address. This IPv4address may be referred to as a private IPv4 address because this is theIPv4 address the client itself has been assigned. This may not be itspublic IPv4 address because the mobile client may be behind a firewallsuch as a NAT firewall. In this situation, the mobile client typicallydoes know the public IPv4 address it is associated with.

However, the home agent is able to determine the public IPv4 address ofthe mobile client. As part of the binding update, the home agentprovides the IPv6 address, private IPv4 address, and public IPv4 addressto other clients in the same group. The mobile clients can use thisinformation to make end-to-end and other connections, without needing toinvolve the home agent. This reduces the processing overhead required bythe home agent, so a home agent can handle more mobile clients.

In a specific implementation, during the binding update, the mobileclient also sends a cookie to the home agent, which is used to helpauthenticate the mobile client. This cookie was provided to the mobileclient upon the setting up of the account. This cookie is typically anencrypted file or message that is stored at the mobile client. If thecookie does not match what the home agent expects for that particularmobile client, there is a potential security violation and the homeagent will disallow further access to its network by the mobile client.

(iv) An IPv6 router. The PIANO server forwards traffic betweenIPv6-over-IPv4 tunnels without needing to decrypt the IPv6 payload. Datais “reflected” or “bounced” off the home agent server. This reflectionfunction provides the connectivity for PIANO clients when aroute-optimized direct end-to-end tunnel cannot be established. In otherwords, when a direct end-to-end connection is not available, the data issent from a sending client to the home agent, which forwards the data onto the receiving client.

Furthermore, this router forwards traffic between IPv6-over-IPv4 tunnelswithout needing to decrypt the IPv6 payload. Operations such asencryption and decryption are typically processing and computeintensive. Since the architecture of the invention permits data to betransmitted in its original encrypted format, the home agent hasrelatively less processing overhead. This allows a home agent to handlemany more clients than if the home agent had to decrypt and encrypt datawhen transferring data between clients.

(v) The PIANO server provides caching for occasions when a file is sentto a destination PIANO mobile client that is off-line. This cache tostores data temporarily, until the receiving client comes on-line orbecomes reconnected the network. In an implementation, this cacheresides on the same system as the home agent. However, in otherimplementation, this cache may be on a different or separate system. Forexample, this cache may reside on a different server, hard disk, memory,network attached storage (NAS) device, or other.

More specifically, when a mobile client sends a file, its buddy listinformation (received from the PIANO server) will tell it that thereceiving node is off-line, so the file will be sent to the PIANOserver. When the target receiving node comes on-line, and announcesitself to the server via a binding update, the PIANO server sets up atunnel to the destination receiving node, and the file transfer iscompleted. The PIANO cache will retain a copy of the file until transferto the receiving node is completed. Thus if the transfer is interrupted(receiving client goes off-line), the transfer will continue on when thereceiving client comes back on-line.

This feature provides additional reliability to the system. In a mobileenvironment, the network connectivity is often poor and so clients arelosing and reestablishing connectivity to the network. For example, theuser may be walking from one Wi-Fi location to another location. Thecaching feature of the invention allows data to be sent by the sendingclient without needing the receiving client on-line. The receivingclient may be off-line at the start or at any time during thetransmission. The data will be sent to the home agent cache and storedthere until the receiving client connects. Then, the data will bedelivered to the receiving client.

Similar to the situation when reflecting data off the PIANO server, whenusing the cache feature, the communication between the mobile clients issecure. The data will remain fully encrypted from the sending client tothe server, and from the server to the receiving the transmitted data.The server does not decrypt the data, but rather the data is stored inthe cache in an encrypted format.

The communication between the mobile clients is secure because the willthe data will remain fully encrypted from the sending client to theserver and from the server to the receiving the transmitted data. Theserver does not decrypt the data, but rather the data is stored in thecache in an encrypted format.

(vi) Authorization, billing, and management server to set up new groupsor add or delete individual users from a group. Administration andmanagement web server access to monitoring statistics and faultanalysis.

Piano Operation

FIG. 4B shows operation of a network according to the invention. Morespecifically, the figure shows PIANO, a specific implementation of theinvention.

Referring to reference number 1 of FIG. 4B, when the PIANO clientdetects an active IP connection it sends a tunnel set-up message to thePIANO server. The server uses the message to determine the source IPv4and UDP port address of the client.

Referring to reference number 2 of FIG. 4B, the PIANO server updates itsdirectory with the new public and private IPv4 address and source UDPport of the client. The server also updates the client with any newgroup information (i.e., add or delete plus current IPv4 address).

Referring to reference number 3 of FIG. 4B, the PIANO server informs theclients' group members of the new location of the client by forwardingan encrypted binding update message with the public and private IPv4 andUDP port address.

Referring to reference number 4 of FIG. 4B, the PIANO clients set upsecure IPv6 over IPv4 end-to-end tunnels with other clients in theirgroup. The PIANO clients have a route optimization feature that createsa direct end-to-end tunnel if one or both clients have a routableaddress. If both clients are in the same private network, the clientswill use the private address to make a direct connection.

If the two clients are on different private networks, however, then thetraffic will reflect off the PIANO server. Note that even if the trafficis reflected off the PIANO server, the tunnel is encrypted on anend-to-end basis.

Tunnel Set-Up Message

To establish secure tunnels between the PIANO client and the PIANOserver, a new type of tunnel establishment message is used. Theinformation contents of the message help validate the client as well asprovide the server the necessary information to send binding updates toother clients to enable end-to-end communications. The client sends anIPv4 UDP message containing the following elements to the PIANO server:

(1) IPv6 address;

(2) IPv4 address;

(3) UDP port number; and

(4) cookie.

Note that the message payload may be encrypted for added clientsecurity. Once the server receives the message, then the server:

(1) Checks the cookie and IPv6 address match. The server will thenacknowledge message receipt via return cookie to the source IPv4address.

(2) Compares the source IPv4 address and transmitted address todetermine if the client is in a public or private network.

(3) If the server receives multiple set-up messages from the same IPv4address, it then uses the source UDP port number to distinguish multipleclients operating in the same private network.

The server uses the information in the tunnel set-up message to (1)establish a secure tunnel with the client and (2) send a binding updateto the clients group so that they may establish route optimizedend-to-end link.

The tunnel set-up message is initiated when client devices are turned onas well as when IP changes are detected (e.g., user walking with Wi-FiPDA). Consequently, PIANO enables nomadic mobility and roaming over bothpublic and private networks.

Architectural Details

Standards govern IPv6 and IPv6 over IPv4 tunnels. The PIANO architecturefurther has in addition to the standards: (1) logic to enable end-to-enddata transfers without the need to reflect off of a server, and (2) atype of data cache to facilitate data transfer between clients that maynot be simultaneously on-line.

IPv6 Route Optimization over IPv4 Networks

FIG. 5 shows the operation of IPv6 route optimization over IPv4networks. To enable end-to-end data transfer with a topologicallyoptimal network, the PIANO clients execute route optimization over IPv4.When PIANO clients connect to the PIANO server they get an update of thelocation of their group clients. This binding update format, containsthe IPv6 address, private IPv4 address, and public IPv4 address andsource UDP port address. The client then attempts to establish a secureend-to-end tunnel with the other clients within the same group using theaddressing information.

If one or both PIANO clients have a routable IPv4 address, a secureend-to-end tunnel is established using the public IPv4 address. Insituations where both clients are behind the same NATs, then a secureend-to-end tunnel is established using the private address. If theclients are in different private networks then the traffic is reflectedoff the server. However, even in the case where the tunnel is reflected(i.e., clients behind different NATs), the encryption is stillend-to-end as the server forwards the packets without terminating thetunnel.

To mitigate the risk of a denial of service (DOS) attack on clients,control data is sent via a secure channel reflecting off the server (todetermine authenticity).

Dynamic Data Caching

FIG. 6 shows a dynamic data caching operation of the invention. Tofacilitate large content transfers between clients that are not on-linesimultaneously the PIANO server has incorporated a data cache. PIANOclients continually get binding updates from the server of the locationof group users. Thus when clients wish to send data, they first checktheir local binding cache to establish an end-to-end route optimizedconnection. If that fails, the clients then attempt a reflectedconnection off the server. If that fails, data cache accepts the IPv6packets.

Unlike previous caching solutions, the PIANO data cache stores theentire IPv6 packet stream, complete with secure payload. Thus when thedestination client comes on-line, IPv6 packets are automaticallyforwarded on the secure control channel. As the data caching solutiondoes not require signaling to either accept or forward packets, it canhandle large numbers of mobile users. Moreover, since end-to-endencryption is used for the payload, content stored at the data cache issecure. There is no capability to decrypt the content at the data cache.

PIANO Application Framework

In addition to providing secure connectivity between PIANO client, PIANOalso provides an application framework. FIG. 7 shows an applicationframework of the invention. PIANO clients have two types of programminginterfaces.

As a first interface, PIANO has a content interface that enables thedistribution of data to one or more clients. The commands for thecontent interface include:

PUSH: sends a file to one or more clients. The PUSH command leveragesthe secure end-to-end connectivity to deliver content directly to thedestination client. Should the destination client be off-line, theclient automatically sends the file to the data cache for laterforwarding.

PUBLISH: sends an index of files along with thumbnails available forremote download to one or more clients. Similar to PUSH, shoulddestination clients be off-line, the index is stored on the cache forlater pick up.

PULL: enables clients to remotely download PUBLISHED content from aremote client. PUBLISH sends a PUSH command to itself to the destinationnode. As a second interface, PIANO offers a clear channel IPv6 interfacethat enables transparent IPv6 over IPv4 operation. The IPv6 interfacehides the IPv4 network from the application and also re-creates all ofthe standard features found in an IPv6 network (e.g., DHCP messages).

With PIANO, user clients as well as IPv6 devices appear static; theirlocation and movement on IPv4 is hidden. For example, when using thePUSH command to send content from one device to another, the applicationdoes not have to worry about security, Firewall or NAT traversal, oreven if the destination device is on-line. Similarly, IPv6 applicationdevelopers can create and deploy software without worrying about6-over-4 tunneling or binding updates for mobile devices.

With the PIANO approach there is no need to have clients and/orapplications to maintain NAT mappings. PIANO provides completetransparency to the IPv6 apps communicating even if behind an IPv4 NAT.As part of the PIANO mobile IPv6 approach no special discovery oftransition service or translation will be required.

This approach in its basic form can be viewed as mobile IPv6 over IPv4(i.e., all of the mobile IPv6 features can be used an IPv4 network). Assuch, IPv6 network management tools don't have to learn about a newtransition protocol simply because they never need to know about theIPv4 network (i.e., it is hidden by PIANO). Special configuration of atransition method in the network is not required with this approach—oneonly needs to know how to configure mobile IPv6.

PIANO Content Application Examples

FIG. 8 shows a graphical user interface (GUI) for network contentapplications. In particular, there is GUI-based content distribution,publishing, file synchronization, and hard disk back-up.

Some personal file sharing solutions are either e-mail based (or useembedded e-mail clients) for small files (such as digital pictures ordocuments) or tools like FTP for large files (like digital videos),which require the destination device to be on-line. With PIANO, userscan move arbitrarily large amounts of content even if the sender orreceiver, or both, are off-line during transfer initiation. Applicationdevelopers can take advantage of PIANO's features to create new GUIbased services.

For file sharing, a user drags the file (such as a Microsoft PowerPointfile or 1 gigabyte movie) to the icon of the destination user. The PIANOclient then leverages the PUSH command to send the file to one or moredestination devices. For content publishing, a user can also send anindex of content available for download by leveraging the PUBLISHcommand. Destination clients can view thumbnails of the content byclicking on the icon of the sender. Users can then drag the file on toptheir desktop which activates the PULL command.

For file synchronization, shared files can automatically be synchronizedacross multiple PIANO clients by combining a DELTA or SNAPSHOT back-upalgorithm with the PUSH command. Thus whenever the original documentgets modified, an updated is automatically PUSHed to all mobile clientsthat have received an earlier copy.

For hard drive back-up, in addition to dragging individual files, usercan also drag an icon of an entire directory or device image to the iconon another device and PIANO will transmit all the data. PIANO can alsorun file synchronization as an option to ensure that user devices arefully backed up till the last time they had an IP connection.

Networked Appliances

In addition to running in open user devices like PCs or PDAs, PIANOclients can also be embedded into devices.

For example, referring to FIG. 9, for digital content distribution, byembedding a PIANO client inside a Wi-Fi-enabled digital camera, photoscan automatically be delivered to other users when walking past a hotspot. Further, a client could also be embedded into a Wi-Fi digitalpicture frame, thus enabling a digital photo to be delivered right fromthe capture device into a viewing device at a remote site.

To send photos, users would simply select which images they wish to sendand then the PIANO client would leverage the PUSH command to transmitthe file. Users could also PUBLISH all of their photos to a distributionlist. Destination clients would receive a thumb nail of the image whichthey could then PULL down from the camera.

FIG. 10 shows an example of sensor networking. For sensor networking,PIANO clients can also be used as network gateway for devices that donot have IP connectivity. For example, sensor networks that leverageeither proprietary or standards based on 802.15 protocols could locallyconnect to a PIANO client embedded into a gateway. This gateway couldPUSH sensor data to a remote management device or distribute controlcommands to the sensors from any Internet connection.

Transparent IPv6 Over IPv4 Operation

In addition to supporting content distribution and networked applianceapplications, PIANO can also be used by IPv6 application developers whowould like to deploy their software on IPv4 networks. By leveraging theIPv6 interface of the PIANO client IPv6 applications can connect toapplication servers with complete transparency and over IPv4 NAT'edlinks. See FIG. 11.

With the PIANO approach, there is no need to have clients orapplications, or both, to maintain NAT mappings. PIANO provides completetransparency to the IPv6 apps communicating, even if behind an IPv4 NAT.As part of the PIANO mobile IPv6 approach, special discovery oftransition service or translation will not be required.

This approach in its basic form can be viewed as mobile IPv6 over IPv4(i.e., the mobile IPv6 features can be used an IPv4 network). As such,IPv6 network management tools do not have to learn about a newtransition protocol simply because they need not know about the IPv4network (i.e., it is hidden by PIANO). Special configuration of atransition method in the network is not required with this approach;knowing how to configure mobile IPv6 is sufficient.

E-Commerce and Service Provider Applications

Personal E-commerce Portal: The PIANO architecture can also be used tocreate a secure GUI for E-commerce applications. For example, financialservices companies could PUSH a users personal stock data as well asinformation documents and videos into the client. The user could thenaccess the data from within the GUI and PUSH stock transactions whichwould be sent back to the application server.

Proxy Security Services: While desktop PCs can be secured behindfirewalls and virus scanners, this is much more difficult for mobileworkers. Enterprises must either back-haul traffic to their facility orcontinuously attempt to update mobile computers. Both solutions beingcumbersome. With PIANO, the web browser is rerouted to the PIANO servervia IPv6 over IPv4 tunnel where virus scanners and SPAM blockers arelocated. The PIANO architecture enables common policy enforcementwithout the need to back-haul mobile PC traffic to the enterprise.

Metro Wi-Fi/WiMax Mobility: currently service providers use VLANswitches to create mobility for metro Wi-Fi and WiMax users. VLANswitches back-haul traffic to either a central or originating switch.With PIANO, VoIP sessions, for example, would automatically reestablishand route optimize with mobile users and SIP gateways without the needof a VLAN switch. Running on PDAs or small portable computers, PIANOusers would experience 3G like services at a fraction of the cost ofcellular 3G services. Moreover even if a user roamed right out of themetro network into a private residential Wi-Fi environment, the serviceswould automatically reestablished.

Secure SIP VoIP Communications: Enterprises like peer-to-peer VoIP dueto the cost savings but often do not deploy them due to the securityconcerns as well as Firewall/NAT connectivity issues which sometimesmake hotel and hot spot access a problem. Unlike current peer-to-peerVoIP services, PIANO clients identify themselves to users in othergroups. PIANO clients know if other clients of their group are on-line,and how to set up a VoIP session. Leveraging PIANO, enterprises canenjoy secure connectivity without risk of voice call interception oreavesdropping. Moreover the route optimization capabilities enable SIPcalls to go peer-to-peer, thus eliminating unnecessary back-haul to datacenters or transiting unknown third-party computers.

PIANO Server and Client Interaction

In addition to the initial registration of a new client on the webserver (also known as a service portal) and PIANO server, the client andserver will interact to set-up the IPv6 tunnels between PIANO clients.

Signaling and Message Flow

The home agent is a component of the PIANO server which manages theauthorization and address information to allow the mobile clients (e.g.,PIANO clients) to connect. The home agent waits for requests from themobile clients. Following are the four different types of messages: (1)tunnel create requests from the mobile client; (2) binding update fromthe mobile client; (3) binding cache query from the mobile client; and(4) binding cache query from a diagnostic tool such as the amipdiagtool.

Mobile Client Signaling Flow for Tunnel Creation

The mobile client initializes its internal data structures and tries tocreate an IPv6-in-IPv4 tunnel with the home agent. To create such atunnel, it sends a TUNNEL CREATE request to the server. This is an IPv4UDP packet that contains the following: (1) IPv6 address of the mobileclient; (2) cookie (installed with the PIANO client install); and (3)IPv4 address of the mobile client (to detect NAT).

On receiving this request, the home agent checks to see if the requestis valid (checking the appropriate fields in the directory). If it is avalid request, it checks to see if the IPv6 address is valid and alsochecks to see if the cookie is a valid cookie for this mobile client. Ifit is valid, then the home agent checks to see if there is a tunnelalready set up for this mobile client. If so, it cleans up and creates anew tunnel for the mobile client.

The home agent also checks to see if the IP address contained in therequest and matches the one contained in the IP header. If not, itassumes that NAT is present. If a NAT is present, it creates anIPv6-in-IPv4-UDP tunnel, otherwise an IPv6-in-IPv4 tunnel.

In its response, the home agent sends the response (success or failure)code and also whether it detected a NAT. It also generates a new cookiefor future requests from the mobile client. This prevents a potentialattacker from knowing a single cookie to launch attacks.

When the mobile client receives the response from the home agent it doesthe validity check for the response message. If it is valid, it recordsthe new cookie and creates the IPv6-in-IPv4-UDP tunnel or IPv6-in-IPv4tunnel, depending on whether NAT is present or not.

Now, the mobile client is ready to send IPv6 packets as the tunnel isUP. The mobile client also sends NAT keep alive packets to keep thetunnel UP (otherwise, NAT will shut down the UDP flow and packets fromthe home agent cannot reach the mobile client).

In an embodiment, UDP port number 6100 is used for encapsulating theIPv6 packet in UDP packet. However, in other embodiment, any availableport may be used.

Once a user wishes to initiate a service (e.g., the user drags and dropsa file on a destination or receiving client folder in the GUI) betweenhis client and another PIANO client, the PIANO client requests a tunnelfrom the server which then establishes the end to end tunnel between thetwo clients. Then the application can be initiated.

Binding Updates

Referring to the FIG. 4B, if either of the PIANO clients (labeled as“PIANO” clients in the diagram) detects a change in their IPv4 address,it will notify the PIANO server, which will update its binding cache.The IPv6 link will stay active, and the application will pause andcontinue after the new IPv4 μlink has been established (DHCP processesand the like). The IPv4 address would change if the user moved from oneWi-Fi hotspot to another, or if the user's IPv4 address assigned by theISP changed (many ISPs use a round robin sharing routine and may changeassigned IPv4 addresses).

The mobile client sends a binding update (BU) as soon as the tunnel iscreated. It is a standard mobile IPv6 binding update but has an IPv4care-of address option. This tells the home agent that it is currentlyreachable over IPv4. The home agent processes the binding updateappropriately (as per RFC 3775) and sends the binding acknowledgement.The binding update itself is transported over the IPv6-in-IPv4 tunnel.If the mobile client was on the IPv6 network, then the binding updatewould have been sent over IPv6 directly.

The mobile IPv6 client code does not know how the packet is transported.It is controlled by the previous step. In particular, a tunnel getscreated if the access network is IPv4 and it is transparent to themobile IPv6 code. In an implementation, a lifetime is set to fiveminutes. The mobile client reports binding updates to the home agentevery five minutes (this setting can be changed, regardless of whetherthere are any changes). If the mobile client has an IPv4 address changeit notifies the home agent immediately (approximately one second) withthe new binding update information. In other implementations, thelifetime may be set to another value.

When the binding update is sent, a user ID is also sent with the update.A maximum of 64 bytes can be given in the user ID. The mipdiag commandshows the uUser ID also along with the IPv6 address and makes debuggingeasier.

End-to-End (E2E) Tunnels

The mobile client supports creating end-to-end tunnels with itsreceiving node when they both have a public network address, or whenboth are behind the same NAT. Receiving nodes are sometimes referred toas correspondent nodes (CNs). For all other cases the sending client toreceiving client connection is reflected off the PIANO Server. Thesending client (and receiving client) periodically checks the home agentto see if the information has changed and if so, updates the tunnel bydeleting and recreating it.

Binding Cache Query and End-to-End Tunnel

The mobile client queries the home agent to see whether other listedmobile clients (such as a buddy list) are on-line or not on-line (e.g.,whether they have registered a binding update and with the home agent).It does the query by sending an IPv6 UDP query packet (e.g., port number6100) to the home agent. The query contains the IPv6 address of thepeer. The response from the home agent contains the following: (1) IPv6address of the peer mobile client; (2) public IPv4 address of the peer;(3) private IPv4 address of the peer; and (4) binding cache expiry time.

In one implementation, a periodic timer value is four seconds. However,in other implementations, the periodic time value may have any value.The specific value for the period time value will be selected based onthe probability of a user's address changing. As the probability of theuser's address will change goes up, the lower the periodic time valueshould be. For example, if the mobile client is on a wireless network,then the periodic time value may be 1 second, while if the mobile clientis on a home network, the periodic time value may be 10 seconds.

This information also explicitly also provides a “presence indicator” asto whether the peer node (e.g., buddy list member) is on-line or not.The folder is highlighted when the buddy is on-line and “grayed” whenthe buddy is off-line. See GUI section below for the graphicalrepresentation of this information. The mobile client maintains theabove information for all members of the buddy list.

When the mobile client receives the query information it finds out:

(1) If the public and private addresses are the same for both mobileclient and receiving client, then one or both have public IP addresses.

(2) If both have private IPv4 addresses different from their IPv4 publicaddresses, then if their private addresses are the same, they assumethey are behind the same NAT.

In both of the above cases they create the IPv6-in-IPv4 tunnel directlywith each other. This way a two-way tunnel is established between thepeer mobile clients. Packets flow directly between the mobile clientswithout home agent intervention.

If one of the above two cases are not valid (one of the pair has aprivate address, or both have private addresses but they are different),then the tunnel is reflected off the home agent.

The mobile client keeps querying periodically to see if the receivingclient's registration changes. If its state changes, it tears down theend-to-end tunnel and rebuilds it based on the above rules.

The mobile client uses the mn_query_ha_bc API to retrieve the contentsfrom the home agent.

Movement Detection

The mobile client can detect movement across IPv4 networks. In anembodiment, it relies on ifplugd, an external daemon which can work forwired and wireless networks. The ifplugd polls the network driver forchange of status periodically. When it detects a change, it executes apreconfigured action. When the action is expected, the mip64d getsnotified through its netlink socket which is monitored in its selectloop. When mip64d detects that a new address is configured on theinterface, it sends a tunnel update and a binding update to the homeagent. In a specific implementation, the mobile client assumes thatthere is only one interface on the mobile client that changes to UP andDOWN.

In an implementation, the mobile client does optimize the case where itmoves back to the same network. The mobile client attempts to use thepreviously valid address, and it that fails, the mobile node thenattempts to get a new IPv4 address from the network (e.g., using DHCP).It also updates the end-to-end tunnel if necessary.

Data Flow and IPSec

The packet format is as follows.

With NAT: IPv4 UDP IPv6 IPsec <Payload>

Without NAT: IPv4 IPv6 IPsec <Payload>

Security

In an embodiment of the PIANO software, all links between client andserver and client to client can be encrypted, including all IPv4 tunnels(used when a client connects to the Internet for authentication at thePIANO server, and to register the IPv6/IPv4 address binding), and allIPv6 tunnels over which flows user data. The encryption methodology willimplement a highly secure key exchange mechanism utilizing AESencryption methodologies, ensuring that all data is encrypted frommachine to machine, and the source machine encrypts uniquely for thetarget machine.

Additional Features of PIANO Architecture

Implementation of Closed User Groups” or “Groups”: Groups allowcommunities of PIANO client to establish a private Group for PIANOservices, similar to a VPN. Only PIANO members within the group mayconnect to each other for secure file sharing. Examples would be a smallbusiness that wishes to have a VPN amongst all employees to access ashared file server.

A home agent can manage any number of groups. There may be clients thatare members of two or more groups. The members of each group will onlyknow and have information about other members in the group.

Strong Security Architecture: In an embodiment, there is a strongsecurity architecture that leverages AES and a private key methodology,such that each PIANO client encrypts the data to be sent specificallyfor the destination PIANO Client.

Secure SIP VoIP Communications, including Conferencing: Enterprises likeVoIP due to the cost savings but often do not deploy due to the securityconcerns as well as Firewall/NAT connectivity issues which sometimesmake hotel and hot spot access a problem. Unlike other peer-to-peer VoIPservices, PIANO clients do not have to utilize the insecure method ofbroadcasting their IP address to identify themselves to other users.PIANO clients know exactly when other members of their group areon-line, and exactly how to set up a VoIP session. Leveraging PIANOsecure connectivity, Enterprises can enjoy secure connectivity withoutrisk of eavesdropping. Moreover the route optimization capabilitiesenable SIP calls to go peer-to-peer, thus eliminating unnecessarybackhaul to data centers or transiting unknown third party computers asis the case with Skype-like services

Proxy Security Services: While desktop PCs can be secured behindfirewalls and virus scanners, this is much more difficult for mobileworkers. Enterprises must either backhaul all traffic to their facilityor continuously attempt to update mobile computers (both solutions beingcumbersome). With PIANO, the web browser is rerouted to the PIANO servervia IPv6 over IPv4 tunnel where virus scanners and SPAM blockers arelocated. The PIANO architecture enables common policy enforcementwithout the need to backhaul mobile user traffic to the enterprise.

Wi-Fi/WiMax/WiBro Mobility: Currently service providers purchase VLANswitches to create mobility for metro Wi-Fi and WiMax users. VLANswitches are expensive as well as backhaul traffic to either a centralor originating switch. PIANO VoIP sessions would automaticallyreestablish and route optimize users and SIP gateways without the needof a VLAN switch. Running on PDAs or small portable computers, PIANOusers would experience 3G like services at a fraction of the cost ofcellular 3G services. Fast handoff functionality and dual mode handsetsmust be implemented to achieve less than 250-millisecond switching

Instant Messaging An instant messaging capability which would run overthe secure IPv6 tunnel, and have buddy list of group members and apresence indicator.

Microsoft Outlook support: The ability to send and receive encryptedOutlook emails between members of a group. This would require aMicrosoft server resident variant of the PIANO client capable ofmaintaining persistent sessions with up to 100,000 PIANO client enableddevices.

Redundant PIANO Server: Distributed or hierarchical to be determined.Single image Directory or regional to be determined. Availability ofservice should exceed 99.999 percent.

Centralized Management of User Rights and Privileges: Residing on thePIANO server, the centralized management functions allow end customercentral administration to control the adding and deleting of employeesto a PIANO group, as well as assigning their rights and privileges.

Example of User Experience Using PIANO Mobile IPv6 Client

The client will interact with the PIANO Server utilizing the PIANOdefined packet formats and messages.

PIANO Client Interaction with Windows XP: In commercial service, thePIANO client will be downloaded and installed by the user in his Windowsmachine. In a specific implementation, the client software will beloaded from CD onto the target machine. Alternatively, the client may bedownloaded and installed. The client software shall utilize any of thestandard commercial tools (e.g., Install Shield) to install on thesystem. The PIANO client will be “always on” to monitor the availabilityor unavailability of an Internet connection. It must launch at machinestart-up and stay alive as a background process. Thus the installprocess must make the necessary Windows registry entries to supportthis. A desktop icon will be installed, which will activate the PIANOdesktop user interface.

The PIANO client software shall be able to run as a background process,without being flagged as a virus or spyware by the commerciallyavailable tools from vendors like Symantic, Trend Micro, and others. ThePIANO client shall also be able to tunnel through firewalls from theleading vendors: Microsoft, ZoneAlarm, and others. The PIANO clientbackground processes shall not have conflicts with other typicalprocesses running on Windows machines.

FIG. 12 shows a first installation screen. The first screen asks usersif they want to install the client. The client prompts the user on theinstallation location—as with all applications. For those clients whohave the client there is a deinstall option.

The install will include the IPv4 address or URL for the web server.When the client software is loaded the mobile client will connect to theURL of the web server.

FIG. 13 shows a second installation screen for entering a user ID. TheMOBILE CLIENT will be asked to enter a <user ID>, and will then beassigned an IPv6 address by the web server. The web server will thensend a message to the PIANO server providing the new user ID and IPv6address, in XML tagged format. Since the user ID must be unique, thePIANO server will check the new <user ID> against existing directoryentries. If the name is unique then the entry is set up in the PIANOserver directory, and a confirm message is returned to the Web server.If the user ID is not unique, the PIANO server will send a message tothe Web Server requesting an alternate <user ID>. The web server willprompt the user to select a new <user ID>.

FIG. 14 shows a third installation screen where the web server thensends a message to the client that the account has been set up.

FIG. 15 shows a first user account screen. The first the user will seeis a blank GUI except for the PIANO server folder. The PIANO serverfolder is for common documents such as help manuals that will appear onevery users GUI. The PIANO folder status shows that one document hasalready been sent to the user while three documents are available fordownload. If users click on the PIANO folder they will be able to viewthe contents.

FIG. 16 shows a view folders screen. Upon clicking the PIANO folder theuser can view documents (in this case the HELP manual) which has beensent (or PUSHED) to them and is available locally. Users will also seetitles of documents that are published—i.e., available for download byclicking.

FIG. 17 shows a create group screen. Users can now create folders tosend & share content with other users. To create a group the user mustsimply type in the valid id of another user. If they are unsure of theid they will be able to search the list of active users from the PIANOserver. In this example the user user1 has typed in the name user2 onhis create group interface to add a content folder to his GUI.

FIG. 18 shows a create content folder screen for other users. The PIANOclient then creates content folders for other users. As there is nocontent from the other users the status tables within the folders willbe blank. There will be no limit on the number of content folders a usercan create. Users that happen to be on-line (which the client will knowby receiving the binding update from the PIANO server) will have a greencolored folder. Off-line users will appear as a black colored folder.When user1 creates a user2 folder on his client, the clientautomatically creates a user1 folder on user2's client—even without hisasking.

FIG. 19 shows a share documents screen. Now that user1 has a user2folder he can both send (or PUSH) as well as publish content with him.To send content to a user (in this case document A to user2), user1simply drags the document to user2's folder. To publish content user1simply drags content to his GUI. Note published content will beavailable to all users. Thus both user2 and user3 will be able to viewdocument B, C, or D.

FIG. 20 shows a transmit detail screen. As sent content is actuallytransmitted to the other user a progress animation will appear. If theuser is on-line it will present again the content going directly tothem. If the user is off-line (like User3) it will represent the contentmoving to the PIANO server. There will be no progress animation forPUBLISHED content as only the document names are being sent.

FIG. 21 shows a check status screen. Now that the document has been sentUser1 can click on User2's folder to check status. He can see that thedocument has been sent. User1 can also see if User2 has either sent himsomething or published content to him.

FIG. 22 shows an options screen. User1 also has the option of disablingsome of the automatic group creation and transmit features. For example,user1 can disable other people from adding him to their client. If user1disables a function (like receiving documents) he will be prompted by apop-up that user2 is requesting to send a file. User1 can also view atransaction log of all of the events.

FIG. 23 shows transaction log screen. The transaction log showseverything from when user1 sent a binding update to the PIANO server.When user1 received a binding update for user2 (from the PIANO server)When user1 sent (or pushed) a document to user2 and so forth.

FIG. 24 shows an interface screen for another user. Moving to user2'sGUI we see that there is now a folder for user1 which was automaticallycreated. The folder shows that user1 has sent him one document andpublished three. User2 can exam the contents of user1's folder byclicking on it. Note as neither user3 nor user2 decided to create afolder for each other—user3's folder is not on user2's GUI.

FIG. 25 shows examining another user's folder. When user2's clicks onuser1's folder he see that he has been sent a document “A” and has threeothers which have been published. User2 now decides that he wants todownload document “B”—which he does by clicking.

FIG. 26 shows downloading a document. When user2 clicks on document “B”it creates an animation status if the other user is on-line. If the useris not on-line, the PULL command is sent to the PIANO server for laterretrieval.

FIG. 27 shows a file status screen. When the download is complete thedocument “B” viewable by simply clicking on it.

FIG. 28 shows a status update on a main screen. When user2 closes thefolder he can see that the status has been updated showing two filesreceived and two files published from user1.

The PIANO graphical user interface is a method by which users caninteract with the PIANO client to invoke PIANO applications. Theinterface is graphical, intuitive, and easy to use. The GUI window popsup in a window with the standard Microsoft minimize, maximize, and closebuttons on the top right corner. There may be additional pull-down menusto support other services.

The GUI has standard user computer actions: point and click, drag anddrop, and other operations to invoke PIANO applications. The user willlaunch the PIANO client by clicking on the desktop icon. In anembodiment, the user interface will appear as a simple pop-up window,with a list of folders and names representing the PIANO client “BuddyList.” Each folder will represent a contact person's PIANO client forthe purpose of sending and receiving files.

This description of the invention has been presented for the purposes ofillustration and description. It is not intended to be exhaustive or tolimit the invention to the precise form described, and manymodifications and variations are possible in light of the teachingabove. The embodiments were chosen and described in order to bestexplain the principles of the invention and its practical applications.This description will enable others skilled in the art to best utilizeand practice the invention in various embodiments and with variousmodifications as are suited to a particular use. The scope of theinvention is defined by the following claims.

1. A method comprising: providing a home agent server, coupled to anInternet Protocol version 4 (IPv4) network, managing Internet Protocolversion 6 (IPv6) clients; providing a first IPv6 client and second IPv6client coupled to the home agent via the IPv4 network; from the firstIPv6 client, sending to the home agent an IPv4 address and IPv6 addressassociated with the first IPv6 client; from the second IPv6 client,sending to the home agent an IPv4 address and IPv6 address associatedwith the second IPv6 client; when the first and second IPv6 clients areconnected to the home agent, implementing a first IPv6-over-IPv4 tunnelin the IPv4 network between the first IPv6 client and the second IPv6client, wherein the first IPv6-over-IPv4 tunnel does not pass throughthe home agent; and from the first IPv6 client, transferring data in anencrypted form using the first IPv6-over-IPv4 tunnel directly from thefirst IPv6 client to the second IPv6 client, where the data does notpass through the home agent.
 2. The method of claim 1 comprising: whenthe first IPv6-over-IPv4 tunnels fails, attempting to connect the firstIPv6 client to the second IPv6 client through the home agent.
 3. Themethod of claim 1 comprising: when the first IPv6 client initiates adata transfer to the second IPv6 client, at the home agent server,determining whether the first and second IPv6 client are behind anetwork address translation (NAT) firewall.
 4. The method of claim 3wherein the first IPv6 client makes a determination of whether the firstIPv6 client is behind a firewall by comparing its private IPv4 addressand its public IPv4 address, which is received from the home agentserver.
 5. The method of claim 4 wherein if the private IPv4 address isthe same as the public IPv4, the first IPv6 client is not behind afirewall.
 6. The method of claim 3 wherein the first IPv6 client makes adetermination of whether the second IPv4 client is behind a firewall bycomparing the second IPv4 client's private IPv4 address and public IPv4address, both of which are received from the home agent server.
 7. Themethod of claim 5 wherein if a public IPv4 address of the first IPv6client is the same as a public IPv4 address of the second IPv6 client,then the first and second IPv6 are behind the same NAT firewall.